MALICIOUS
120
Risk Score
Malware Insights
MITRE ATT&CK
T1566.002 Spearphishing Attachment
T1059.001 PowerShell
The PDF contains a critical heuristic firing for a malicious redirector link, specifically pointing to 'https://ttraff.ru/wb?keyword=foxit%20reader%20pdf%20printer'. Additionally, it exhibits characteristics of a PDF link farm, with numerous embedded links, including one to 'https://cdn.shopify.com/s/files/1/0434/3654/0056/files/gefesetup.pdf'. The document body, though heavily obfuscated, also contains these URLs, suggesting the primary intent is to redirect the user to malicious infrastructure.
Heuristics 3
-
PDF links to known malicious redirector infrastructure critical PDF_MALICIOUS_REDIRECTOR_LINKPDF contains a clickable URI to redirector infrastructure used by a known malicious PDF SEO/adware delivery campaign. These documents typically rely on user interaction and redirect chains rather than a PDF parser vulnerability.
-
Small PDF contains mass external PDF link farm critical PDF_SEO_LINK_FARMSmall PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
-
Embedded URL info EMBEDDED_URLOne or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.URL https://ttraff.ru/wb?keyword=foxit%20reader%20pdf%20printer
- http://files.miekemanschot.com/uploads/1/3/1/4/131483305/5351439.pdf
- http://files.zitascakes.com/uploads/1/3/0/8/130874180/d0ff5f7756.pdf
- http://files.moonlitdreamspublications.com/uploads/1/3/0/8/130874025/buduweza.pdf
- http://files.emilymclaughlintravels.com/uploads/1/3/1/8/131856706/d6e33b107a7748.pdf
- https://cdn.shopify.com/s/files/1/0434/3654/0056/files/gefesetup.pdf
- https://cdn.shopify.com/s/files/1/0437/4901/5701/files/84825577533.pdf
- https://cdn.shopify.com/s/files/1/0434/9722/6402/files/11838597560.pdf
- https://cdn.shopify.com/s/files/1/0427/8052/4710/files/71469793809.pdf
- https://cdn.shopify.com/s/files/1/0430/9526/1348/files/48449857878.pdf
- https://cdn.shopify.com/s/files/1/0428/9835/8432/files/jokopewizemaw.pdf
- https://cdn.shopify.com/s/files/1/0433/5170/3706/files/cat_face_emoticon.pdf
- https://cdn.shopify.com/s/files/1/0434/5082/6919/files/52334930852.pdf
- https://cdn.shopify.com/s/files/1/0437/6189/3534/files/60886859160.pdf
- https://cdn.shopify.com/s/files/1/0435/1367/5928/files/92148730007.pdf
- https://cdn.shopify.com/s/files/1/0432/9196/7652/files/96685078023.pdf
- https://cdn.shopify.com/s/files/1/0431/6089/5650/files/32242231181.pdf
- https://cdn.shopify.com/s/files/1/0433/0933/4696/files/zomowonibixaridases.pdf
- http://www.w3.org/1999/02/22-rdf-syntax-ns#
- http://purl.org/dc/elements/1.1/
- http://ns.adobe.com/pdf/1.3/
- http://ns.adobe.com/xap/1.0/
- http://ns.adobe.com/xap/1.0/mm/
- http://ns.adobe.com/xap/1.0/rights/
Extracted artifacts 4
Files carved from inside the sample during analysis.
| Filename | Kind | Source | Size |
|---|---|---|---|
font_00_sfnt_off00005a1e.binb975f5c53e486211b47471497982b02fb04f7d343d008e5b2de984c63ba49a36 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x5A1E | 4636 bytes |
font_01_sfnt_off000069e5.bincf50d13c5c21d2e34fba0d9dd21119d4839fc35fdaebfe62cbacf51850cc328d |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x69E5 | 1936 bytes |
font_02_sfnt_off00007323.bin30242fefc7f2f1ea4fb086f3515da98b5be2071dce00fbbdb7aa80b683ef5ec2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x7323 | 9508 bytes |
font_03_sfnt_off000093a6.bin9f355172d696dda274cac500966718f112ce76951f19577ac4888987ea6471b2 |
pdf-font-stream | PDF embedded font (sfnt) at offset 0x93A6 | 4324 bytes |
Open this report in the interactive analyzer, or submit your own file for analysis.